0
votes

I'm trying to run a baseline scan with OWASP ZAP on a website that uses authentication. It uses JSON-based authentication. But when I run it, I see in the results that it is not logged in.

I run it like this:

docker run -v C:/ZAP/:/zap/wrk owasp/zap2docker-weekly zap-baseline.py -t https://myaddress.com -n somecontext.context -z "-config forcedUser.setForcedUserModeEnabled=true"

Here's the manual test I did.

  1. Ran ZAP in GUI mode
  2. Imported the context
  3. Turned on "Forced User Mode" by clicking the button
  4. Ran the automated scan. And it worked, so I presume the context is OK

The docker mounting (-v) seems to be OK too. When I add -r report.xml, I can see the report in C:/ZAP/ after ZAP finishes.

1
Did you find a way to auth with the baseline scan script yet? - Tien Dung Tran
I've used github.com/ICTU/zap-baseline as @kingthorin suggested, but had to modify it to work with my app. - Bender Bending Rodríguez

1 Answer

0
votes

The baseline scan is, exactly as described, a limited-feature baseline: https://github.com/zaproxy/zaproxy/wiki/ZAP-Baseline-Scan

ICTU have a third-party modification of the baseline scan that supports auth: https://github.com/ICTU/zap-baseline
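As an added check that is not part of the question or the answer above: after a run with -r report.xml, this Python snippet reads the report and tells whether any URI under a login-only path prefix was reached, which is the evidence that forced-user mode actually worked. It assumes the report's element names as shown in the constructed sample, and the "/account" and "/admin" prefixes are placeholders for the site's own authenticated areas.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

# Constructed sample of the XML that `zap-baseline.py -r report.xml` writes
# (structure assumed: OWASPZAPReport/site/alerts/alertitem/instances/instance/uri).
# Both instances are on public pages; nothing under an authenticated-only path.
SAMPLE_REPORT = """<?xml version="1.0"?>
<OWASPZAPReport version="2.x" generated="constructed">
  <site name="https://myaddress.com" host="myaddress.com" port="443" ssl="true">
    <alerts>
      <alertitem>
        <pluginid>10021</pluginid>
        <alert>X-Content-Type-Options Header Missing</alert>
        <riskcode>1</riskcode>
        <instances>
          <instance><uri>https://myaddress.com/</uri><method>GET</method></instance>
          <instance><uri>https://myaddress.com/login</uri><method>GET</method></instance>
        </instances>
      </alertitem>
    </alerts>
  </site>
</OWASPZAPReport>
"""


def report_uris(xml_text):
    """Return every URI that appears in an alert instance of the report."""
    root = ET.fromstring(xml_text)
    return {uri.text for uri in root.iter("uri") if uri.text}


def authenticated_coverage(xml_text, protected_prefixes):
    """Split the report's URIs into those under a login-only path prefix and the rest.

    An empty first set is the symptom from the question: the scan never reached
    a page that requires login, so forced-user mode did not take effect.
    """
    protected, public = set(), set()
    for uri in report_uris(xml_text):
        path = urlparse(uri).path or "/"
        target = protected if any(path.startswith(p) for p in protected_prefixes) else public
        target.add(uri)
    return protected, public


if __name__ == "__main__":
    # "/account" and "/admin" are constructed placeholders for login-only prefixes.
    prot, pub = authenticated_coverage(SAMPLE_REPORT, ["/account", "/admin"])
    print("login-only URIs seen:", sorted(prot), "public URIs seen:", sorted(pub))
    if not prot:
        print("no login-only page in the report: the scan was probably not authenticated")
```

Only URIs that carry at least one alert are listed in the report, so an empty login-only set is strong evidence rather than proof.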